As if it were not bad enough that a remote non-password protected kettle on your network could compromise your security, another unlikely potential threat has emerged, this time relating to watches.
A ‘wide-open’ app-building API would let an attacker build a malicious application that could access Fitbit user data & send it to any server.
Kev Breen, Director of Cyber Threat Research for Immersive Labs, made a proof-of-concept for just that possibility, after realising that Fitbit devices are full of sensitive personal data.
“Essentially, the developer API could send device type, location & user information including gender, age, height, heart rate & weight,” Breen explained.
“It could also access calendar information. While this does not include PII profile data, the calendar invites could expose additional information such as names & locations.”
Since all of this information is available via the Fitbit application developer API, it was simple to create an application to carry out an attack.
The Fitbit Gallery
Breen’s work resulted in a malicious watch face, which he was then able to make available through the Fitbit Gallery (where Fitbit shows some 3rd-party & in-house apps). So, the spyware appears genuine, & makes it more likely that it would be downloaded.
“Using a dashboard used by development teams to preview apps, I submitted our spyware and soon had our own URL at https://gallery.fitbit.com/details/<redacted>,” he explained.
“Our spyware was now live on fitbit.com. It is important to note that while Fitbit doesn’t count this as ‘available for public download’, the link was still accessible in the public domain & our ‘malware’ was still downloadable.”
Increasing the feel of genuineness, when the link was clicked on any mobile device, it opened inside the Fitbit app with “all thumbnails perfectly rendered as if it were a legitimate app,” Breen commented. “From there, it was just a quick click to download & install, which I did with both Android & iPhone.”
Breen also found that Fitbit’s fetch API allows HTTP requests to internal IP ranges, which he abused to turn the malicious watch face into a ‘primitive’ network scanner.
“With this functionality, our watch face could become a threat to the enterprise,” he suggested. “It could be used to do everything from identifying & accessing routers, firewalls & other devices, to brute-forcing passwords & reading the company intranet – all from inside the app on the phone.”
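The fetch-to-internal-ranges behaviour described above is a server-side-request-forgery-style problem, and the standard mitigation is a destination policy check before any network call is made. The following is an added example in JavaScript (the language of Fitbit SDK apps); it is not Fitbit’s code and is not part of the original article. `guardedFetch`, `isInternalTarget` and the sample URLs are constructed for this illustration.

```javascript
// Added example (not Fitbit's code): a fetch guard that refuses requests whose
// literal host is a loopback, link-local, unique-local or RFC 1918 address.

// Parse a dotted-quad IPv4 string into an unsigned 32-bit number, or null.
function parseIPv4(host) {
  const parts = host.split(".");
  if (parts.length !== 4) return null;
  let value = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const n = Number(p);
    if (n > 255) return null;
    value = value * 256 + n;
  }
  return value;
}

// Special-use IPv4 ranges as [network, prefixLength].
const IPV4_BLOCKED = [
  ["0.0.0.0", 8],      // "this" network
  ["10.0.0.0", 8],     // RFC 1918
  ["127.0.0.0", 8],    // loopback
  ["169.254.0.0", 16], // link-local (includes cloud metadata endpoints)
  ["172.16.0.0", 12],  // RFC 1918
  ["192.168.0.0", 16], // RFC 1918
];

function inIPv4Block(addr, network, prefix) {
  const mask = (0xffffffff << (32 - prefix)) >>> 0;
  return ((addr & mask) >>> 0) === ((parseIPv4(network) & mask) >>> 0);
}

function isInternalIPv4(addr) {
  return IPV4_BLOCKED.some(([net, prefix]) => inIPv4Block(addr, net, prefix));
}

// IPv6 literal (without brackets): loopback, unspecified, fc00::/7, fe80::/10,
// and IPv4-mapped addresses, which are checked against the IPv4 table.
function isInternalIPv6(host) {
  const h = host.toLowerCase();
  if (h === "::1" || h === "::") return true;
  if (/^f[cd][0-9a-f]{2}:/.test(h)) return true;
  if (/^fe[89ab][0-9a-f]:/.test(h)) return true;
  if (h.startsWith("::ffff:")) {
    const rest = h.slice(7);
    let v4 = parseIPv4(rest);              // "::ffff:10.0.0.1" form
    if (v4 === null) {                     // "::ffff:a00:1" form (URL-normalised)
      const hex = rest.split(":");
      if (hex.length === 2 && hex.every((x) => /^[0-9a-f]{1,4}$/.test(x))) {
        v4 = parseInt(hex[0], 16) * 65536 + parseInt(hex[1], 16);
      }
    }
    return v4 !== null && isInternalIPv4(v4);
  }
  return false;
}

// Policy decision for one URL. Anything unparsable or non-HTTP is refused.
// WHATWG URL parsing normalises numeric hosts (e.g. "2130706433", "0x7f.1")
// to dotted-decimal before we see them, so shorthand forms are covered.
function isInternalTarget(urlString) {
  let url;
  try { url = new URL(urlString); } catch { return true; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return true;
  const host = url.hostname;
  if (host.startsWith("[") && host.endsWith("]")) {
    return isInternalIPv6(host.slice(1, -1));
  }
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  const v4 = parseIPv4(host);
  if (v4 !== null) return isInternalIPv4(v4);
  return false; // plain hostname: literal check passes; see note on resolution
}

// Wrapper around a fetch-like function that enforces the policy first.
// fetchImpl is injectable so the guard can be exercised without a network.
async function guardedFetch(urlString, options = {}, fetchImpl = globalThis.fetch) {
  if (isInternalTarget(urlString)) {
    throw new Error(`blocked: ${urlString} targets an internal address`);
  }
  return fetchImpl(urlString, options);
}
```

The check runs on the literal host after URL normalisation, so numeric shorthand such as `http://2130706433/` is caught, but a public hostname that resolves to an internal address is not. A platform enforcing this policy therefore has to apply it again to the resolved address, and to every redirect hop, rather than only to the string the app supplies.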
After contacting Fitbit about these issues, Breen related that the company was responsive & agreed to make the necessary changes to mitigate future breaches.
“The trust of our customers is paramount, & we are committed to protecting consumer privacy & keeping data safe,” Fitbit explained, in a statement. “We responded immediately when contacted by this researcher & worked quickly & collaboratively to address the concerns they raised. We are not aware of any actual compromise of user data.”
Fitbit has added a warning message for users within the UI when installing an app from a private link, & it has made it easier for consumers to identify which installed apps/clocks on the mobile device are not publicly listed.
Breen commented that Fitbit also has committed to adjusting default permission settings during the authorisation flow to being opted out by default.
Given the ease of uploading the malicious app to the gallery, “we were advised that apps submitted to the Fitbit Gallery for public download undergo manual review, & that obvious spyware or applications masquerading as something else are likely to be caught & blocked from being published.”
However, Breen’s malicious watch face was still publicly accessible as of early last Fri., but it was removed later in the day.
“We encourage consumers to only install applications from sources they know & trust & to be mindful of what data they’re sharing with 3rd parties,” Fitbit concluded. “We give our users control over what data they share & with whom.”
Fitbit is not alone in warning of internet-of-things threats. The rising number of IoT devices coming online daily is making it difficult for the security community to stay ahead of malicious players.
In Sept., researchers realised the Mozi botnet peer-to-peer malware accounted for a full 90% of traffic on IoT devices. Also, a Bluetooth spoofing bug was recently found to leave billions of devices vulnerable.
Even a connected male chastity device was recently found to be easily hacked, leaving the unsuspecting user stuck, & in need of rescue.
As the rest of the industry catches up, it is end users who need to be able to take precautions to protect data.
Breen offers this advice: “if in doubt, don’t install it.”